Optional: Create an OU and User Accounts for FIM CM Agents

Applies To: Forefront Identity Manager Certificate Management

If you prefer to create the FIM CM agent accounts yourself and place them in a particular organizational unit (OU), you may do so in advance of installation. This allows you to meet organizational naming standards, fit a specific Group Policy management scheme, and match a specific directory hierarchy.

The following table summarizes the accounts and permissions required by FIM CM. You can let FIM CM create these accounts automatically during installation, or you can create them prior to installation. The account names shown are suggestions and can be changed. If you do create the accounts yourself, name them so that each account's function is easy to recognize from its name.

FIM CM Agent User Accounts

Account | Description and permissions

FIM CM Agent

Provides the following services:

  • Retrieves encrypted private keys from the CA.

  • Protects smart card PIN information in the FIM CM database.

  • Protects communication between FIM CM and the CA.

This user account requires the following access control settings:

  • Allow logon locally user right.

  • Issue and Manage Certificates user right.

  • Read and Write permission on the system Temp folder at the following location: %WINDIR%\Temp.

  • A digital signature and encryption certificate issued and installed in the user store.

FIM CM Key Recovery Agent

Recovers archived private keys from the CA.

This user account requires the following access control settings:

  • Allow logon locally user right.

  • Membership in the local Administrators group.

  • Enroll permission on the KeyRecoveryAgent certificate template.

  • A Key Recovery Agent certificate that is issued and installed in the user store. The certificate must be added to the list of key recovery agents on the CA.

  • Read and Write permission on the system Temp folder at the following location: %WINDIR%\Temp.

FIM CM Authorization Agent

Determines user rights and permissions for users and groups.

This user account requires the following access control settings:

  • Membership in the Pre-Windows 2000 Compatible Access domain group.

  • Granted the Generate security audits user right.

FIM CM CA Manager Agent

Performs CA management activities.

This user must be assigned the Manage CA permission.

FIM CM Web Pool Agent

Provides the identity for the IIS application pool. FIM CM runs in a Win32 process that uses this user's credentials.

This user account requires the following access control settings:

  • Membership in the local IIS_WPG group.

  • Membership in the local Administrators group.

  • Granted the Generate security audits user right.

  • Granted the Act as part of the operating system user right.

  • Granted the Replace process level token user right.

  • Assigned as the identity of the IIS application pool, CLMAppPool.

  • Granted Read permission on the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CLM\v1.0\Server\WebUser registry key.

  • This account must also be trusted for delegation.

FIM CM Enrollment Agent

Performs enrollment on behalf of a user. This user account requires the following access control settings:

  • An Enrollment Agent certificate that is issued and installed in the user store.

  • Allow logon locally user right.

  • Enroll permission on the Enrollment Agent certificate template (or the custom template, if one is used).
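The table above lists the settings that must be in place on the FIM CM server, but it does not say how to confirm them. The following PowerShell script is an added example (not part of the original page or of FIM CM itself) that audits the local-machine requirements for the FIM CM Agent, Key Recovery Agent and Web Pool Agent accounts: local group membership, user rights assignments, the %WINDIR%\Temp and WebUser registry ACLs, and the CLMAppPool identity. It assumes the lab account names from this page under a domain called CORP, must be run elevated on the FIM CM server, and uses only secedit, ADSI and the WebAdministration module. CA permissions (Issue and Manage Certificates, Manage CA), template Enroll permissions and the Pre-Windows 2000 Compatible Access membership live on the CA and in AD and are not checked here.

```powershell
# Added example: audit local requirements for the FIM CM agent accounts.
# Assumptions: domain NetBIOS name CORP and the logon names used on this page.
$domain   = "CORP"
$agent    = "$domain\FIMCMAgent"
$kra      = "$domain\FIMCMKRAgent"
$webAgent = "$domain\FIMCMWebAgent"

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Pass) {
    $results.Add((New-Object PSObject -Property @{ Check = $Name; Pass = $Pass }))
}

# 1. Local group membership, read through the WinNT ADSI provider so it works
#    on older servers that lack Get-LocalGroupMember. Members are compared by
#    ADsPath (WinNT://CORP/FIMCMWebAgent) so a local account with the same
#    name cannot satisfy the check by accident.
function Test-LocalGroupMember([string]$Group, [string]$Account) {
    $wanted = "WinNT://" + $Account.Replace('\', '/')
    $paths = ([ADSI]"WinNT://./$Group,group").psbase.Invoke("Members") | ForEach-Object {
        $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
    }
    [bool]($paths -contains $wanted)
}
Add-Check "WebAgent: member of local Administrators" (Test-LocalGroupMember "Administrators" $webAgent)
Add-Check "WebAgent: member of local IIS_WPG"        (Test-LocalGroupMember "IIS_WPG" $webAgent)
Add-Check "KRA: member of local Administrators"      (Test-LocalGroupMember "Administrators" $kra)

# 2. User rights assignments. secedit exports the effective local policy as an
#    INF file; the [Privilege Rights] section lists each privilege with its
#    holders as *SID or DOMAIN\name, so both forms are accepted below.
$cfg = Join-Path $env:TEMP "fimcm-rights.inf"
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
Get-Content $cfg | ForEach-Object {
    if ($_ -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = $matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

function Test-UserRight([string]$Privilege, [string]$Account) {
    try {
        $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $false }   # account does not resolve: it cannot hold the right
    [bool](($rights[$Privilege] -contains $Account) -or ($rights[$Privilege] -contains $sid))
}
Add-Check "Agent: Allow log on locally (SeInteractiveLogonRight)"     (Test-UserRight "SeInteractiveLogonRight" $agent)
Add-Check "KRA: Allow log on locally (SeInteractiveLogonRight)"       (Test-UserRight "SeInteractiveLogonRight" $kra)
Add-Check "WebAgent: Generate security audits (SeAuditPrivilege)"     (Test-UserRight "SeAuditPrivilege" $webAgent)
Add-Check "WebAgent: Act as part of the OS (SeTcbPrivilege)"          (Test-UserRight "SeTcbPrivilege" $webAgent)
Add-Check "WebAgent: Replace process level token (SeAssignPrimaryTokenPrivilege)" `
          (Test-UserRight "SeAssignPrimaryTokenPrivilege" $webAgent)

# 3. ACLs. Only Allow ACEs granted directly to the account are summed; rights
#    inherited through group membership are deliberately not resolved, so a
#    failure here means "no explicit grant", which is what the table asks for.
function Test-AclGrants([string]$Path, [string]$Account, [int]$RequiredMask) {
    try { $acl = Get-Acl -Path $Path -ErrorAction Stop } catch { return $false }
    $mask = 0
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne "Allow" -or $ace.IdentityReference.Value -ne $Account) { continue }
        # File-system ACEs expose FileSystemRights, registry ACEs RegistryRights.
        $r = if ($ace.PSObject.Properties["FileSystemRights"]) { $ace.FileSystemRights } else { $ace.RegistryRights }
        $mask = $mask -bor [int]$r
    }
    ($mask -band $RequiredMask) -eq $RequiredMask
}
$fsReadWrite = [int][System.Security.AccessControl.FileSystemRights]"Read, Write"
$regRead     = [int][System.Security.AccessControl.RegistryRights]::ReadKey
$webUserKey  = "HKLM:\SOFTWARE\Microsoft\CLM\v1.0\Server\WebUser"
Add-Check "Agent: Read/Write on %WINDIR%\Temp"    (Test-AclGrants "$env:WINDIR\Temp" $agent $fsReadWrite)
Add-Check "KRA: Read/Write on %WINDIR%\Temp"      (Test-AclGrants "$env:WINDIR\Temp" $kra $fsReadWrite)
Add-Check "WebAgent: Read on CLM WebUser reg key" (Test-AclGrants $webUserKey $webAgent $regRead)

# 4. Application pool identity (WebAdministration ships with IIS 7.5 and later).
Import-Module WebAdministration -ErrorAction SilentlyContinue
$pool = Get-ItemProperty "IIS:\AppPools\CLMAppPool" -Name processModel -ErrorAction SilentlyContinue
Add-Check "CLMAppPool identity is WebAgent" ($null -ne $pool -and $pool.userName -eq $webAgent)

$results | Format-Table Check, Pass -AutoSize
```

Run it after the FIM CM installation wizard (or your manual configuration) has finished; every row should show Pass = True. A False for a user right usually means the right was granted through a domain Group Policy that has not yet refreshed on the server, so run gpupdate /force and re-check before changing anything locally.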

Creating an OU and Agent Accounts for FIM CM

The following procedure is not required, but is recommended for administrative organizational purposes. In the following procedure, you will create a specific organizational unit (OU) named FIMCMObjects in which to store the Active Directory user accounts that FIM CM utilizes. You will then create the six required accounts that FIM CM utilizes for providing services.

To create an OU and Accounts for FIM CM

  1. While logged in to DC1 as User1, open Active Directory Users and Computers (dsa.msc).

  2. In the console tree, right-click the corp.contoso.com domain, click New and then click Organizational Unit.

  3. In the New Object - Organizational Unit dialog box, in Name, type FIMCMObjects, and then click OK.

  4. In the console tree, right-click the FIMCMObjects container, click New, and then click User.

  5. In the New Object – User dialog box, in Full Name type FIM CM Agent.

  6. In User logon name, type FIMCMAgent and then click Next.

    Note

    The actual account name that you use is up to your organizational naming scheme or your discretion. You can name the FIM CM agent accounts whatever you would like; the important part is that you assign them the appropriate permissions. This can be done automatically by using the installation wizard discussed in Configuring the FIM CM Service, or you may choose to do this manually.

  7. Type a password that you will remember for both Password and Confirm password.

    Important

    The password you use should meet the complexity requirements of your organization.

  8. Clear User must change password at next logon.

  9. Select Password never expires.

  10. Click Next and then click Finish.

  11. Create the additional five accounts that are required by FIM CM using the same settings as described in this procedure, but with the names described in the following table. The account names can vary from those suggested below. The important part is that you can match the user account roles to the services they provide and assign the appropriate permissions to these accounts.

    Full Name                      User logon name
    FIM CM Key Recovery Agent      FIMCMKRAgent
    FIM CM Authorization Agent     FIMCMAuthAgent
    FIM CM CA Manager Agent        FIMCMManagerAgent
    FIM CM Web Pool Agent          FIMCMWebAgent
    FIM CM Enrollment Agent        FIMCMEnrollAgent
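The same result as steps 1 through 11, scripted. This PowerShell script is an added example (not from the original page or from FIM CM) that creates the FIMCMObjects OU and the six agent accounts with the ActiveDirectory module, using the same password options the wizard steps set (no change at next logon, password never expires). It goes one step beyond the procedure by also applying the two directory-side settings from the account table above: Pre-Windows 2000 Compatible Access membership for the authorization agent and trusted for delegation for the web pool agent. It assumes the corp.contoso.com lab domain, the logon names from the table, and a domain administrator session on DC1.

```powershell
# Added example: create the FIMCMObjects OU and the six FIM CM agent accounts.
# Assumptions: ActiveDirectory module available (RSAT / Windows Server 2008 R2+),
# run as a domain administrator; account names are the ones used on this page.
Import-Module ActiveDirectory

$adDomain  = Get-ADDomain
$domainDN  = $adDomain.DistinguishedName      # e.g. DC=corp,DC=contoso,DC=com
$upnSuffix = $adDomain.DNSRoot                # e.g. corp.contoso.com
$ouName    = "FIMCMObjects"
$ouDN      = "OU=$ouName,$domainDN"

# Full Name / User logon name pairs from step 11 (plus the FIM CM Agent from step 6).
$agents = @(
    @{ Name = "FIM CM Agent";                Logon = "FIMCMAgent" },
    @{ Name = "FIM CM Key Recovery Agent";   Logon = "FIMCMKRAgent" },
    @{ Name = "FIM CM Authorization Agent";  Logon = "FIMCMAuthAgent" },
    @{ Name = "FIM CM CA Manager Agent";     Logon = "FIMCMManagerAgent" },
    @{ Name = "FIM CM Web Pool Agent";       Logon = "FIMCMWebAgent" },
    @{ Name = "FIM CM Enrollment Agent";     Logon = "FIMCMEnrollAgent" }
)

# Steps 2-3: create the OU once. Protection from accidental deletion matches the
# default that Active Directory Users and Computers applies to new OUs.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# Steps 4-11: one account per row, idempotent so the script can be re-run.
foreach ($a in $agents) {
    if (Get-ADUser -LDAPFilter "(sAMAccountName=$($a.Logon))") {
        Write-Host "$($a.Logon) already exists, skipping"
        continue
    }
    # Prompt for each password so it never lands in the script, a transcript or
    # the command history; it is still subject to the domain password policy.
    $secret = Read-Host -AsSecureString "Password for $($a.Logon)"
    New-ADUser -Name $a.Name -DisplayName $a.Name `
               -SamAccountName $a.Logon `
               -UserPrincipalName "$($a.Logon)@$upnSuffix" `
               -Path $ouDN `
               -AccountPassword $secret `
               -Enabled $true `
               -ChangePasswordAtLogon $false `
               -PasswordNeverExpires $true `
               -Description "FIM CM service account: $($a.Name)"
}

# Directory-side requirements from the account table above.
Add-ADGroupMember -Identity "Pre-Windows 2000 Compatible Access" -Members "FIMCMAuthAgent"
Set-ADUser -Identity "FIMCMWebAgent" -TrustedForDelegation $true

# Show what was created so the result can be compared with the table.
Get-ADUser -SearchBase $ouDN -Filter * -Properties PasswordNeverExpires, TrustedForDelegation |
    Select-Object Name, SamAccountName, Enabled, PasswordNeverExpires, TrustedForDelegation |
    Format-Table -AutoSize
```

The remaining requirements in the table (local group membership, user rights, folder and registry ACLs, the CLMAppPool identity, certificate enrollment and the CA permissions) are set on the FIM CM server and the CA, not in the directory, and are applied by the installation wizard or by hand. Note that TrustedForDelegation enables unconstrained Kerberos delegation for the web pool account, which is why the page also requires that account to hold its own dedicated, non-expiring credential and to be treated as a privileged identity.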

See Also

Concepts

Installing and Configuring FIM CM Infrastructure